msm: Fix overflow in stable_size()
stable_size() overflows when the physical memory address space
ends at 0xFFFFFFFF.
Change-Id: I84dcea257330c17c415f993645a8425104c8b01f
Signed-off-by: Olav Haugan <ohaugan@codeaurora.org>
diff --git a/arch/arm/mach-msm/memory.c b/arch/arm/mach-msm/memory.c
index b9c963f..00f315d 100644
--- a/arch/arm/mach-msm/memory.c
+++ b/arch/arm/mach-msm/memory.c
@@ -219,8 +219,18 @@
static unsigned long stable_size(struct membank *mb,
unsigned long unstable_limit)
{
- if (!unstable_limit || mb->start + mb->size <= unstable_limit)
+ unsigned long upper_limit = mb->start + mb->size;
+
+ if (!unstable_limit)
return mb->size;
+
+ /* Check for 32 bit roll-over */
+ if (upper_limit >= mb->start) {
+ /* If we didn't roll over we can safely make the check below */
+ if (upper_limit <= unstable_limit)
+ return mb->size;
+ }
+
if (mb->start >= unstable_limit)
return 0;
return unstable_limit - mb->start;
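Review bot: The roll-over test in stable_size() detects the wrap only after `mb->start + mb->size` has been computed, and the fall-through for the wrapped case is correct only because a bank that wraps necessarily extends past any `unstable_limit`; the comments do not state that reasoning. The sum can be avoided entirely by testing `if (mb->start >= unstable_limit) return 0;` first and then `if (mb->size <= unstable_limit - mb->start) return mb->size;`, where the subtraction cannot underflow. That also removes the `upper_limit` local, which would truncate if `mb->start` is wider than `unsigned long` (its declaration is not visible here, so confirm). The function's closing brace lies outside the hunk.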
@@ -296,7 +306,7 @@
size = stable_size(mb,
reserve_info->low_unstable_address);
if (size >= mt->size) {
- mt->start = mb->start + size - mt->size;
+ mt->start = mb->start + (size - mt->size);
ret = memblock_remove(mt->start, mt->size);
BUG_ON(ret);
break;
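Review bot: The new parentheses in `mt->start = mb->start + (size - mt->size);` carry the intent of the fix, but nothing on the line says so, and a later cleanup could drop them as redundant. If `mb->start`, `size` and `mt->size` are all unsigned (their declarations are outside the hunk), both forms give the same value modulo the type width, so the grouping mainly documents that the offset is computed first under the `size >= mt->size` guard. A short comment such as `/* size >= mt->size: compute the offset first so start + size is never formed */` would make this explicit. The commit message mentions only stable_size(), so this second site is worth naming there too. The enclosing function starts and ends outside the hunk.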